Accepting the eventuality of a cyber attack or breach is the first step; risk managers must then find a way to implement an efficient strategy throughout the company

Seth Berman

The report into Waking Shark II, the Bank of England-backed cyber exercise designed to test the UK wholesale banking sector’s ability to deal with a hypothetical cyber attack, has set out a range of measures to boost resilience and improve communication with key stakeholders. Although the financial services sector has long been considered a lucrative target for hackers, cyber criminals are casting their nets much wider, with ever increasing numbers of attacks on almost all industries. Technology alone cannot prevent all incidents and organisations must accept that the key question is when, and not whether, a breach will occur.

As the Waking Shark initiative has reinforced, preparation and incident response are key factors in minimising risk and the longer-term fallout from an attack. This process must start with an assessment of the risks, as they relate to each organisation, irrespective of whether these are politically or financially motivated or seemingly random.

At the centre of this strategy is the security audit, sometimes referred to as a cyber health check, which will, ultimately, enable an organisation to respond appropriately and effectively when faced with a breach. In common with a financial audit but not necessarily as all-encompassing, this should be carried out regularly by external experts with the appropriate level of knowledge and insight, alongside key individuals from within the firm. The audit will allow a risk-based review of the effectiveness of information systems and suggest remedial steps to improve overall security against a backdrop of rapidly changing cyber threats.

The first step of an audit is to review existing controls and procedures. Most firms already have firewalls, password policies, encrypted data protocols and restricted access controls in place to counter potential cyber threats, alongside policies governing mobile devices, cloud storage and data sharing. But when were these last reviewed, let alone put to the test?

Of course, the risk of data theft goes beyond the risk posed by hackers – data theft can also emanate from within a company. From staff inadvertently activating viruses or malware by clicking on links in emails, to malicious insiders, motivated by the prospect of financial gain or revenge, firms need a thorough understanding of all such threats and a plan to combat them.

The use of bring your own device (BYOD) and of personal online accounts has become increasingly prevalent, with staff using their personal smartphones, tablets and preferred cloud providers to stay productive while at work and out of the office. This creates new opportunities for hackers. Any internal review should, therefore, establish everyday working practices, including the use of personal smartphones and data storage for work-related tasks. It is a process that should also address the use of other portable devices, as the accidental loss of an unencrypted laptop or disk drive could have serious financial and reputational consequences.

A security audit does not involve only ensuring that the proper policies, firewalls and virus detection are in place. It must focus on the human element as well. For example, staff must recognise the risk posed by phishing emails and know how to report such incidents. Although the vast majority may hit the Delete button on receiving a suspicious email, only one unwitting member of staff needs to fall for a scam before security has been breached. Such attempts at obtaining information are commonplace and may introduce a virus, activate malware to log keystrokes, copy emails or even record phone conversations. In response, companies must ensure they train their employees on the risk of cyber attacks and how to prevent them. Employees must also know how to report potential cyber security incidents, so that an initial breach can be contained. Prompt reporting allows threats to be dealt with immediately.

Waking Shark is one of many initiatives to raise awareness and preparedness, in the face of increasing sophistication and determination of cyber adversaries. With a growing number of organisations facing significant financial, reputational and organisational damage in the wake of attacks, risk management professionals must ensure such threats are fully understood and backed by a strategy that is fit for purpose.

Seth Berman is executive managing director and UK head of Stroz Friedberg, an investigations, intelligence and risk management company.